Phishing is a common method used by hackers and scammers to gain access to accounts in only a matter of seconds. Once again, these scammers have found a way to victimize users on the prominent gaming service, Steam.
Obviously, you wouldn’t want your account ending up in the wrong hands, all because you wanted to win free COVID-19 in-game merchandise. Yes, that’s how these scammers are finding their victims. And the worst part: it’s effective! With skins in CS:GO and DOTA 2 being sold for thousands of dollars, a free item would make anyone covetous.
The credential-stealing website was first reported by nullcookies on Twitter. Now, the websites are becoming more realistic, with some even pretending to be actual e-Sports organizations. If you’re not alert, you can get scammed without even knowing!
How Does The Steam Scam Work?
Usually, the scammers either comment on your Steam profile or send you a message with the URL to their bogus website or a YouTube video. As soon as users click on the link, they are directed to a website that claims to provide a free in-game item, such as a “COVID-19 CS:GO case”.
After unveiling the “prize”, the users are then prompted to log into their Steam accounts. Once you’ve entered all the credentials, the website will immediately change your account’s e-mail address and password, and remove any phone number associated with your account. Even if you have Steam Authenticator activated, it will be removed. If you have a recovery e-mail associated with your account, it will be changed.
At this point, you will be spammed with e-mails from Steam Support regarding your account’s details being changed. All of this happens in a matter of seconds, so you’ll have no time to react. Once your account is hijacked, your Steam profile will become private and you’ll be locked out of your account. The website will also send a message to everyone in your friends list with the URL of the bogus website. If it’s from someone they know, it can be trusted, right?
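The rapid sequence of changes described above is itself a detection signal. The Python code below is an added example, not part of the original article and not Steam's own logic. It assumes a timestamped feed of account-change events (for instance, parsed from notification e-mails); the event names and sample data are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real Steam data: (ISO timestamp, account, event type).
SAMPLE_EVENTS = [
    ("2020-04-02T10:00:01", "alice", "login_new_country"),
    ("2020-04-02T10:00:04", "alice", "email_changed"),
    ("2020-04-02T10:00:06", "alice", "password_changed"),
    ("2020-04-02T10:00:09", "alice", "phone_removed"),
    ("2020-04-02T10:00:12", "alice", "authenticator_removed"),
    ("2020-04-02T09:00:00", "bob", "password_changed"),  # ordinary change
    ("2020-04-09T18:30:00", "bob", "email_changed"),     # a week later
]

# The changes the article says the phishing site makes right after login.
# These event names are hypothetical labels chosen for this example.
TAKEOVER_CHANGES = {"email_changed", "password_changed",
                    "phone_removed", "authenticator_removed"}

def find_takeover_bursts(events, window=timedelta(seconds=60), min_distinct=3):
    """Flag accounts with >= min_distinct different takeover changes in one window.

    Returns {account: (time of first change in the burst, sorted change types)}.
    """
    by_account = {}
    for ts, account, kind in events:
        if kind in TAKEOVER_CHANGES:
            by_account.setdefault(account, []).append(
                (datetime.fromisoformat(ts), kind))
    flagged = {}
    for account, changes in by_account.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            kinds = {kind for _, kind in changes[start:end + 1]}
            if len(kinds) >= min_distinct:
                flagged[account] = (changes[start][0], sorted(kinds))
                break
    return flagged

if __name__ == "__main__":
    for account, (first, kinds) in find_takeover_bursts(SAMPLE_EVENTS).items():
        print(f"{account}: possible takeover starting {first}: {', '.join(kinds)}")
```

Unrelated changes spread over days, like the second account in the sample data, stay below the threshold and are not flagged.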
Why Are Russians After Your Account?
If you become a victim of this scam, you will receive an e-mail from Steam Support informing you that your account was accessed from an unknown country, often Russia. Why do these scammers steal accounts? It’s simple: to sell them illegally! There are numerous accounts that cost thousands of dollars and this is free real-estate for them.
If you’ve become a victim of this scam, don’t worry, you can still retrieve your account. You’re still the owner and you can recover your account by contacting Steam Support. If your account gets hijacked and stolen:
Immediately attempt to log into your account, even if it is futile to do so. At this point, the scammers will have changed the e-mail address and phone number associated with your account to their own.
Once you’re certain that you don’t have access to the e-mail associated with your account, contact Steam Support without delay.
From the options, choose My Account, and then choose My account is stolen or hijacked.
You will then be prompted with instructions on how to secure your account and other preventive measures. You can skip that and go to Change my password underneath Recover my account.
You will be asked to provide the e-mail address associated with your account. Here, you can enter the e-mail address formerly associated with your Steam account.
Since the scammers have removed your e-mail address from the account, you will receive a message on your screen, “Sorry, we were unable to find an email address that matched your search”. You can click on Search with account name beneath that.
It seems counter-intuitive, but the scammers do not change your Steam profile name. You can enter your profile name (not your username), and you will be prompted with two options: to receive a verification code by e-mail, or I no longer have access to this e-mail address. Now, if you observe the e-mail address, you’ll notice that it isn’t yours and doesn’t have a common domain either. Obviously, you have to choose the second option!
After that, you will be directed to fill out a contact form with the required information. Remember, you have to state your issue in detail. You should also attach screenshots of any receipts from your Steam account, and screenshots of the e-mails you received immediately after your account was hijacked. All of this will prove your ownership of the account, so it is critical.
Now comes the worst part: you have to wait. It can take up to 3 days for Steam to respond, and they can ask for more information if needed. Hence, patience is required.
Often, phishing websites feature a poor design and grammatical mistakes, but these scams are becoming far more advanced. Hackers are going the extra mile to make their scams more convincing, and it’s working!